Merged
50 changes: 50 additions & 0 deletions .github/workflows/npm-publish.yml
@@ -0,0 +1,50 @@
name: NPM Publish

on:
release:
types: [published]
workflow_dispatch:
inputs:
tag:
description: 'Tag to publish (vX.Y.Z)'
required: true
type: string

jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
env:
RELEASE_TAG: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.event.release.tag_name }}
steps:
Copilot AI Dec 22, 2025


When using workflow_dispatch, the workflow attempts to checkout a tag that might not exist yet. If someone manually triggers this workflow with a tag that hasn't been pushed, the checkout step will fail. Consider adding validation to ensure the tag exists, or document that the tag must be pushed before manually triggering this workflow.

Suggested change
steps:
steps:
- name: Validate tag exists (workflow_dispatch)
if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
set -e
echo "Validating that tag '${RELEASE_TAG}' exists in remote repository '${{ github.repository }}'..."
if ! git ls-remote --exit-code --tags "https://github.com/${{ github.repository }}.git" "refs/tags/${RELEASE_TAG}" >/dev/null 2>&1; then
echo "Error: Tag '${RELEASE_TAG}' does not exist in the remote repository 'https://github.com/${{ github.repository }}.git'." >&2
echo "Please push the tag before manually triggering this workflow with it." >&2
exit 1
fi

- uses: actions/checkout@v4
with:
ref: ${{ env.RELEASE_TAG }}

- name: Use Node.js 22.x
Comment on lines +20 to +25

suggestion (bug_risk): Tighten validation of RELEASE_TAG when triggered via workflow_dispatch to avoid publishing from an arbitrary ref.

Since inputs.tag is user-supplied, this lets a workflow_dispatch caller point checkout at any ref name they choose, not necessarily a real tag or one following your scheme. That means you can publish from a commit that isn’t actually referenced by a Git tag, even though you later compare the version to package.json. To avoid this, either validate that inputs.tag corresponds to an existing tag (e.g. git rev-parse --verify refs/tags/$TAG) or rely on github.ref_name only for release events and restrict workflow_dispatch to selecting from existing tags.

Suggested change
steps:
- uses: actions/checkout@v4
with:
ref: ${{ env.RELEASE_TAG }}
- name: Use Node.js 22.x
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Validate release tag exists (workflow_dispatch only)
if: github.event_name == 'workflow_dispatch'
run: |
git rev-parse --verify "refs/tags/${RELEASE_TAG}"
- name: Check out release tag
run: |
git checkout "refs/tags/${RELEASE_TAG}"
- name: Use Node.js 22.x

uses: actions/setup-node@v4
with:
node-version: 22.x
registry-url: 'https://registry.npmjs.org'
cache: 'npm'

- name: Install dependencies
run: npm ci

- name: Check Version
run: |
TAG="${RELEASE_TAG#v}"
PKG=$(node -p "require('./package.json').version")
if [ "$PKG" != "$TAG" ]; then
echo "Version mismatch: Tag $TAG vs Package $PKG" >&2
exit 1
fi

- name: Build
run: npm run build
Comment on lines +44 to +45

The workflow builds the package but doesn't run tests before publishing to npm. While releases typically follow CI validation, manual workflow_dispatch triggers could bypass testing. Consider adding a test step (npm test) before the build step to ensure code quality, especially since the repository has comprehensive test coverage.


- name: Publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --access public
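Review bot: The `Publish` step at the end of the hunk authenticates with a long-lived `NPM_TOKEN` secret while `permissions` grants only `contents: read`; consider adding `id-token: write` under `permissions` and publishing with `npm publish --provenance --access public`, so the release carries a signed provenance attestation bound to this workflow and the checked-out tag (npm trusted publishing can then replace the stored token entirely). Two smaller points: pin `actions/checkout@v4` and `actions/setup-node@v4` to full commit SHAs rather than mutable major-version tags, since this job holds the publish credential; and the `Check Version` step only compares version strings, so on `workflow_dispatch` a mistyped or moved tag still publishes whatever commit the ref resolves to, which is the gap the tag-existence suggestions above are meant to close.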
6 changes: 6 additions & 0 deletions package.json
@@ -7,6 +7,12 @@
"bin": {
"cloudsqlctl": "./dist/cli.cjs"
},
"files": [
"dist",
"README.md",
"LICENSE",
"CHANGELOG.md"
],
"engines": {
"node": ">=22.0.0"
},
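Review bot: The `files` allowlist correctly limits the tarball to the build output, but nothing in this PR checks what actually ends up in it; consider an `npm pack --dry-run` step before `npm publish` in the workflow so the published file list appears in the job log. Also, npm always includes `package.json`, `README.md` and `LICENSE` regardless of `files`, so those two entries are redundant but harmless; `dist` and `CHANGELOG.md` are the entries doing the work.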